Archive for the Category » Firewall «

Monday, October 08th, 2007 | Author:

I was trying out JanusVM in my VMware Server. It’s a Linux-based OS with a few key components (OpenVPN, Squid, Privoxy and Tor) packaged neatly into a VMware “appliance”.

Basically it provides a layer of security and privacy for most TCP-based applications (IM, web browsing, etc.); even DNS requests are passed through Tor. Most importantly, it gives you access to sites that are filtered by your ISP’s transparent proxies.


Wednesday, November 09th, 2005 | Author:

Here I go again with my constant Cisco rant, or rather ranting about my own incompetence... LOL.

I was configuring a LAN-to-LAN VPN between two Cisco ASA 5510s. After going through the wizard, I changed the tunnel group name to something more meaningful rather than just the peer’s IP address. I didn’t realise the impact until I couldn’t get the stupid tunnel up.

I ran debug crypto isakmp 255 and, after I entered “terminal monitor”, it started throwing every damn low-level detail at me.
Going through the debug output, I realised that ISAKMP fails because the group name is invalid; the actual debug line stated that the group name is the IP address of my VPN peer.

Now that’s weird. I remembered that in PIX 6.0 the syntax for creating the tunnel is crypto map tunnel-name, where the name doesn’t *MATTER*. So I checked the configuration guide for ASA 7.0.

“Tunnel group name: Both remote access and LAN-to-LAN clients select a tunnel group by its
name, as follows:
– For IPSec clients that use preshared keys to authenticate, the tunnel group name is the same as
the group name that the IPSec client passes to the security appliance.”

So I configured tunnel-group type ipsec-l2l.

Voilà... a wasted morning.

Category: Firewall, Technical
Friday, October 14th, 2005 | Author:

Another issue I have with Cisco PIX 7.0.

I have a server connecting to the PIX DMZ interface with the IP of This server is translated to an Inside IP and to an Outside internet routable IP.

When VPN users connect from outside, they want to access the DMZ server via the IP not the 172 IP.

They are able to connect to any host on the inside but unable to connect to the translated IP.

This is the static statement.
static (dmz,inside) netmask

My Networks
Inside :
VPN Pool :

I posted this question on the Cisco NetPro forum and got this reply:


Category: Firewall, Network, Technical
Friday, October 14th, 2005 | Author:

access-list 90 permit ip host 203.X.X.X host 202.X.X.X1
access-list 90 permit ip host 203.X.X.X host 202.X.X.X2
nat (inside) 0 access-list 90
crypto dynamic-map dyna 20 match address 90

Guess what... PDM won’t work with the above commands. The error I got was: “PDM do not support multiple uses of access list”

Oh man. I created the same ACL again under another name and used that one for the crypto map.
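Both of the pitfalls above (the ASA refusing an IPsec L2L tunnel whose tunnel-group name is not the peer address, and PDM rejecting an access list that is referenced by both nat 0 and a crypto map) are the kind of thing a config check can catch before the tunnel is brought up. The following Python lint is an added example, not part of the original posts and not a Cisco tool; it runs over a constructed config sample using RFC 5737 documentation addresses, and its regexes assume the plain `nat (iface) 0 access-list NAME`, `crypto ... match address NAME`, `crypto map ... set peer ADDR` and `tunnel-group NAME type ipsec-l2l` line forms shown on this page.

```python
"""Lint a PIX/ASA-style config for two pitfalls: ACLs used by more than one consumer,
and ipsec-l2l tunnel-groups whose name is not a peer address. Added example, not a Cisco tool."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample config (not taken from the page); addresses are RFC 5737 documentation ranges.
SAMPLE_CONFIG = """\
access-list 90 permit ip host 203.0.113.10 host 198.51.100.1
access-list 90 permit ip host 203.0.113.10 host 198.51.100.2
access-list 91 permit ip host 203.0.113.10 host 198.51.100.1
access-list 91 permit ip host 203.0.113.10 host 198.51.100.2
nat (inside) 0 access-list 90
crypto dynamic-map dyna 20 match address 90
crypto map outside_map 10 match address 91
crypto map outside_map 10 set peer 198.51.100.254
tunnel-group BranchOffice type ipsec-l2l
tunnel-group 198.51.100.254 type ipsec-l2l
tunnel-group 192.0.2.9 type ipsec-l2l
tunnel-group remote-users type ipsec-ra
"""

# Line forms assumed from the page; other ACL consumers (access-group, etc.) are not covered.
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")
MATCH_RE = re.compile(r"^crypto (?:dynamic-map|map) \S+ \d+ match address (\S+)")
PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (.+)$")
L2L_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")


def acl_references(config):
    """Map each ACL name to the nat-0 and crypto 'match address' lines that reference it."""
    refs = defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        for pattern in (NAT0_RE, MATCH_RE):
            m = pattern.match(line)
            if m:
                refs[m.group(1)].append(line)
    return refs


def multiply_used_acls(config):
    """ACL names referenced by more than one consumer, which is what PDM refuses to manage."""
    return sorted(name for name, lines in acl_references(config).items() if len(lines) > 1)


def l2l_tunnel_group_issues(config):
    """Return (tunnel-group name, reason) for ipsec-l2l groups a pre-shared-key peer could never select:
    the name is not an IP address, or no crypto map 'set peer' points at that address."""
    peers = set()
    names = []
    for raw in config.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:
            peers.update(m.group(1).split())  # 'set peer' may list several addresses
        m = L2L_RE.match(line)
        if m:
            names.append(m.group(1))
    issues = []
    for name in names:
        try:
            ipaddress.ip_address(name)
        except ValueError:
            issues.append((name, "not an IP address: L2L peers using pre-shared keys are matched by peer address"))
            continue
        if name not in peers:
            issues.append((name, "no crypto map 'set peer' entry for this address"))
    return issues


if __name__ == "__main__":
    refs = acl_references(SAMPLE_CONFIG)
    for acl in multiply_used_acls(SAMPLE_CONFIG):
        print(f"ACL {acl} is referenced more than once:")
        for line in refs[acl]:
            print("   ", line)
    for name, why in l2l_tunnel_group_issues(SAMPLE_CONFIG):
        print(f"tunnel-group {name}: {why}")
```

Run against the sample it reports ACL 90 (used by both nat 0 and the dynamic map, exactly the combination PDM complained about) and flags the BranchOffice group, while the group named after the peer address passes. A name mismatch like this is not a configuration error on the ASA, so it only surfaces at negotiation time in the ISAKMP debug, which is why a static check before bringing the tunnel up is worth having.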

Category: Firewall, Technical
Sunday, October 09th, 2005 | Author:

Configuring L2TP over IPsec for both a Cisco PIX and a Cisco router on the customer side.

Tricky things uncovered.
According to the documentation provided on how L2TP is to be configured:

vpdn enable


vpdn-group 1
protocol l2tp
virtual-template 1
terminate-from hostname BB-GGSN1
local name CPE-L2TP-Router
l2tp tunnel password 0 secret

interface Virtual-Template1
ip unnumbered FastEthernet0
peer default ip address pool l2tp-pool01
ppp authentication pap

ip local pool l2tp-pool01

For curious souls like me: how the hell does the router know who BB-GGSN1 is? So I added:


Category: Firewall, Network, Security, Technical